Customer and Product Data Act 2025

Regulated data services - Main obligations - Customer data

16: Data holder may or must refuse request for data in certain circumstances

You could also call this:

“Sometimes people can say no when you ask for your information”

You should know that someone who holds your data can sometimes say no when you or someone else asks for it. They can refuse if they think sharing the data might:

Put someone’s life, health, or safety at serious risk, or threaten public health or safety.

Lead to someone being seriously harassed.

Cause serious money problems for anyone.

The data holder can also say no if they think:

The request was made because of trickery.

Sharing the data could harm their computer systems or the data register.

You or the person asking for the data owes them money for answering data requests.

The person asking for your data hasn’t followed the rules in the law.

There are other reasons in the rules that let them refuse.

The data holder must say no if they think someone is being threatened to ask for the data.

When they think about serious threats, they look at how likely it is to happen, how bad it would be if it did happen, and when it might happen.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS922170.


Part 2 Regulated data services
Main obligations: Customer data

16 Data holder may or must refuse request for data in certain circumstances

  1. Despite sections 14 and 15, a data holder may refuse to provide any data requested under either of those sections—
     1. if the disclosure of the data would be likely to pose a serious threat to the life, health, or safety of any individual, or to public health or public safety (see subsection (3)); or
     2. if the data holder reasonably believes that disclosure of the data would create a significant likelihood of serious harassment of an individual; or
     3. if the data holder reasonably believes that disclosure of the data would create a significant likelihood of serious financial harm to any person; or
     4. if the data holder reasonably believes that it is likely that the request was made (wholly or in part) as a consequence of deception; or
     5. if the data holder reasonably believes that disclosure of the data would be likely to have a materially adverse effect on the security, integrity, or stability of either or both of the following:
        1. the data holder’s information and communication technology systems:
        2. the register; or
     6. in the case of section 14, if the customer owes a debt to the data holder in relation to charges imposed for responding to the request; or
     7. in the case of section 15, if the accredited requestor owes a debt to the data holder in relation to charges imposed for responding to the request or providing any other regulated data services; or
     8. in the case of section 15, if the data holder reasonably believes that the accredited requestor has contravened any obligation under this Act in connection with the request; or
     9. in the circumstances prescribed in the regulations or standards.
  2. Despite sections 14 and 15, a data holder must refuse to provide any data requested under either of those sections if the data holder has reasonable grounds to believe that the request is made under the threat of physical or mental harm.
  3. In this Act, serious threat means a threat that a data holder reasonably believes to be a serious threat having regard to all of the following:
     1. the likelihood of the threat being realised; and
     2. the severity of the consequences if the threat is realised; and
     3. the time at which the threat may be realised.